Good stuff Brad, I'm also using the OpenVPN redirect default gateway option. The problem is that it forces everything to go over the endpoint (in my case in the US). So if I understand correctly you're able to just restrict Skype to use the vpn but everything else goes out directly?
Anyway I agree, Skype runs beautifully over VPN, the quality is perfect.

Greetings, Michael

--- In [email protected], Brad Campbell <[EMAIL PROTECTED]> wrote:
>
> Well, after months of partial usage, farting about and general unreliability I've discovered the
> *reliable* way to get skype to work is to force _all_ its traffic over a vpn. It's a bit of a
> painful process, but at least it works very reliably and the audio quality is superb. *yay*
>
> (Oh, but I'm only 300ms away from my vpn end point - which helps a great deal)
>
> The trick is to prevent any traffic leaving your machine except over the vpn. This is a bit of a
> bear (or would appear so) as it means you need to use the vpn for all your general traffic needs.
>
> Not so though.
>
> iptables has a funky match called "owner".. so with
>
> $IPTABLES -A OUTPUT -o eth0 --match owner --uid-owner 1001 -d 10.8.0.0/16 -j ACCEPT
> $IPTABLES -A OUTPUT -o eth0 --match owner --uid-owner 1001 -d 192.168.0.0/16 -j ACCEPT
> $IPTABLES -A OUTPUT -o eth0 --match owner --uid-owner 1001 -j DROP
>
> I can prevent uid 1001 (who happens to be the user "skype" on my system) from accessing the outside
> world, while giving them full access to my vpn (10.8.0.0/16) and the local network (192.168.0.0/16).
>
> Now I set up the skype user with ssh and the requisite keys in ~/.ssh/authorized_keys, make sure
> "skype" is in the "audio" group, have the http proxy configured in Skype's options and with a simple
> "ssh [EMAIL PROTECTED] skype" I have a fully functioning client that does not interfere with the
> normal functioning of my day to day system.
>
> The first time you login it can take a while for skype to realise it's trapped in a sandbox and force
> all traffic over the proxy but once it's done that you are apples.
>
> I guess I could chmod the skype executable into the "skype" group and iptables match on that, which
> would remove the need for a separate user, but then I'd have to remember to do that every time I
> upgrade (and this is working now).
>
> Brad
> --
> "Human beings, who are almost unique in having the ability
> to learn from the experience of others, are also remarkable
> for their apparent disinclination to do so." -- Douglas Adams
>

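The per-uid confinement Brad describes above, written out as an added example (this is not Brad's script, nor anything from the OpenVPN or Skype projects). It generates an iptables-restore ruleset rather than issuing rules one at a time, and it goes a bit beyond the quoted rules: the owner match is applied on every interface instead of only `-o eth0` (so a laptop that roams from eth0 to wlan0 stays confined), the tunnel interface is allowed outright instead of relying on the 10.8.0.0/16 destination, leaks are logged before being rejected, and a matching ip6tables ruleset closes the IPv6 path the original rules leave open on a dual-stack host. The uid 1001, the `tun+` interface pattern and the two networks are assumptions carried over from the post; substitute your own.

```shell
#!/bin/sh
# Added example, not Brad's script. Generates an iptables-restore ruleset that
# confines one uid to the VPN tunnel and the LAN and rejects everything else it
# sends, on every interface, plus an ip6tables ruleset that denies the uid any
# IPv6 egress. Assumed values (not from the original post): uid 1001, tunnel
# interfaces matching "tun+", and the networks passed as arguments.

# build_ruleset UID NET [NET ...]
# Prints an IPv4 filter-table ruleset for "iptables-restore --noflush".
# The owner match only sees locally generated packets, so it belongs in
# OUTPUT; no "-o eth0" is used, so the confinement follows the uid, not the NIC.
build_ruleset() {
    uid=$1
    shift
    printf '%s\n' '*filter'
    printf '%s\n' ':SKYPE_OUT - [0:0]'
    # Divert only the confined uid's packets into their own chain.
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j SKYPE_OUT"
    # Loopback is needed for the ssh session into the skype account. Caveat: a
    # local DNS resolver or proxy listening on lo forwards traffic as another
    # uid and would bypass this confinement entirely.
    printf '%s\n' '-A SKYPE_OUT -o lo -j ACCEPT'
    # Anything that leaves through the VPN tunnel is fine, whatever the destination.
    printf '%s\n' '-A SKYPE_OUT -o tun+ -j ACCEPT'
    # Explicitly allowed destination networks (the post's 10.8.0.0/16 and 192.168.0.0/16).
    for net in "$@"; do
        printf '%s\n' "-A SKYPE_OUT -d $net -j ACCEPT"
    done
    # Log (rate limited) then reject. REJECT makes a leaked connection fail
    # immediately; the post's DROP makes the client hang on each attempt.
    printf '%s\n' '-A SKYPE_OUT -m limit --limit 5/min -j LOG --log-prefix "skype-leak: "'
    printf '%s\n' '-A SKYPE_OUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# build_ruleset6 UID
# The VPN in the post is IPv4-only, so the uid gets no IPv6 beyond loopback.
# Without this a dual-stack host lets the client out over v6 unhindered.
build_ruleset6() {
    uid=$1
    printf '%s\n' '*filter'
    printf '%s\n' "-A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j REJECT --reject-with icmp6-port-unreachable"
    printf '%s\n' 'COMMIT'
}

# Only touches the kernel when run as "sh confine.sh apply" (as root);
# otherwise the functions above merely print text.
if [ "${1:-}" = "apply" ]; then
    build_ruleset 1001 10.8.0.0/16 192.168.0.0/16 | iptables-restore --noflush
    build_ruleset6 1001 | ip6tables-restore --noflush
fi
```

To check the confinement after applying it, run something as the confined user that must not succeed, e.g. `sudo -u skype curl -4 --max-time 5 http://example.com`: it should fail at once with a connection-refused error (the REJECT), and `dmesg | grep skype-leak` shows the attempt. Repeat with `-6`. A request that hangs until the timeout instead means a DROP rule or a routing gap rather than these rules is in play. Inbound traffic is deliberately not restricted, matching the original post.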